Abstract. Given positive integers $a_1, \dots, a_n, t$, the fixed weight subset sum problem is to find a subset of the $a_i$ that sum to $t$, where the subset has a prescribed number of elements. It is this problem that underlies the security of modern knapsack cryptosystems, and solving the problem results directly in a message attack. We present new exponential algorithms that do not rely on lattices, and hence will be applicable when lattice basis reduction algorithms fail. These algorithms rely on a generalization of the notion of splitting system given by Stinson [18]. In particular, if the problem has length $n$ and weight $\ell$ then for constant $k$ a power of two less than $n$ we apply a $k$-set birthday algorithm to the splitting system of the problem. This randomized algorithm has time and space complexity that satisfies $T \cdot S^{\log k} = \tilde{O}(\binom{n}{\ell})$ (where the constant depends uniformly on $k$). In addition to using space efficiently, the algorithm is highly parallelizable.



Author's Foreword - January 2012

While the present paper was being refereed, [5] came out with an improvement to the main result. The most interesting aspect that remains is the idea of a $k$-set splitting system.



Let $a_1, \dots, a_n$ and a target $t$ be positive integers. The $\ell$-weight subset sum problem is to find a subset of the $a_i$ that sum to $t$, where the subset has $\ell$ elements. Equivalently, the problem is to find a bit vector $x$ of length $n$ and Hamming weight $\ell$ such that

$$\sum_{i=1}^{n} a_i x_i = t. \qquad (1)$$

The corresponding decision problem is to determine whether or not a solution exists. We will refer to the integer subset sum problem as seeking a solution for (1) over the integers, while solving the modular subset sum problem involves solving (1) over some ring $\mathbb{Z}/m\mathbb{Z}$. A modular subset sum problem is random if we assume that the $a_i$ are chosen uniformly at random from $\mathbb{Z}/m\mathbb{Z}$.

The most important quantity associated with a subset sum problem is its density, defined to be $\frac{n}{\log A}$ in the integer case where $A = \max_{1 \le i \le n} a_i$. In the modular case we define density to be $\frac{n}{\log m}$ and will refer to it as modular density. Inspired by [7], we define the information density to be $\frac{\log \binom{n}{\ell}}{\log A}$ (for the integer case) and modular information density to be $\frac{\log \binom{n}{\ell}}{\log m}$.

The fixed weight subset sum problem is interesting both because it is NP-complete and because it has applications to knapsack cryptosystems (see Section 7). A brute force attack on the fixed weight subset sum problem takes $\tilde{O}(\binom{n}{\ell})$ bit operations. Here $\tilde{O}$ is "Soft-Oh" notation. For functions $f$ and $g$, we say $f$ is $\tilde{O}(g)$ if there exist $c, N \in \mathbb{N}$ such that $f(n) \le c\, g(n) (\log(3 + g(n)))^c$ for all $n > N$.

Throughout this paper all logarithms will have base 2. Suppose $L$ is a set of integers and $a$ is an integer. Then $L - a$ is the set given by $\{b - a : b \in L\}$ and $L - a \bmod m$ is the set given by $\{b - a \bmod m : b \in L\}$.

2. Prior Work and New Results 

It is a nontrivial matter to apply the standard algorithmic technique of divide-and-conquer to problems with fixed weight bit vectors. One solution is to employ a $k$-set splitting system. Throughout most of this paper we assume that $n$ and $\ell$ are divisible by $k$. See Section 9 for a discussion of the general case.

Definition 2.1. An $(n, \ell, k)$-splitting system is a set $X$ of $n$ indices along with a set $\mathcal{D}$ of divisions, where each division is itself a set $\{I_1, \dots, I_k\}$ of subsets of indices, with $I_1 \cup \dots \cup I_k = X$ and $|I_1| = \dots = |I_k| = n/k$. These objects have the property that for every $Y \subseteq X$ such that $|Y| = \ell$, there exists a division $\{I_1, \dots, I_k\} \in \mathcal{D}$ such that $|Y \cap I_j| = \ell/k$ for $1 \le j \le k$. We call this division a good division with respect to $Y$.

All splitting systems will appear in the context of a fixed weight subset sum problem with unknown solution $Y$. With $n$ and $\ell$ understood from context, we will refer to an $(n, \ell, k)$-splitting system as a $k$-set splitting system. With $Y$ understood from context, we will call a division such that $|Y \cap I_j| = \ell/k$ for all $I_j$ a good division.

This is a generalization of the 2-set splitting systems presented by Stinson in [18], which he called $(N; n, \ell)$-splitting systems. In that paper design theory was utilized to minimize $N$, the number of divisions.

Two-set splitting systems allow for the application of the baby-step giant-step algorithm to attain a square root time-space tradeoff. This had been done before Stinson, but without formalizing the notion of splitting systems. A version of this algorithm that searches for a good division randomly is presented in [1, Section 7.3] and applied to the fixed weight subset sum problem as a message attack against knapsack cryptosystems. Coppersmith developed the same algorithm for use on the fixed weight discrete logarithm problem, as well as a version that found a good 2-division deterministically rather than randomly. Both are presented in [15] along with an average case analysis.

Another line of attack on the fixed weight subset sum problem was revealed by the work of Nguyen and Stern [11]. They modified the lattice basis reduction technique of [5] to also work for problems of small pseudo-density $\frac{\ell \log A}{n}$. Thus problems can be reduced to the closest vector problem on lattices. In practice this means that any problem with information density less than one and $n$ less than 300 or so can be solved by current lattice reduction algorithms.

We present new algorithms for the fixed weight subset sum problem, which in the case of Theorem 2.2 is also a new algorithm for the fixed weight discrete logarithm problem. We use $T$ and $S$ to refer to the exponential term of an algorithm's time and space usage.

Theorem 2.2. There is an algorithm for the fixed weight subset sum problem whose time and space constraints lie on the curve $T \cdot S^2 = \binom{n}{\ell}$. The deterministic version takes $\tilde{O}(n^3 \binom{n}{\ell}^{1/2})$ bit operations and the randomized version is expected to take $\tilde{O}(\ell^{3/2} \binom{n}{\ell}^{1/2})$ bit operations. Both have space complexity $\tilde{O}(\binom{n}{\ell}^{1/4})$.

Theorem 2.3. Choose parameters $m$ and $k$ so that $k$ is a power of 2, $m < \binom{n/k}{\ell/k}$ and $\log m > 2(\log k)^2$. Assume that when reduced modulo $m$, the $a_i$ are uniformly random elements of $\mathbb{Z}/m\mathbb{Z}$. Then there is a randomized algorithm for the fixed weight subset sum problem whose expected running time is $\tilde{O}(m^{1/(\log k + 1)} \cdot \binom{n}{\ell}/m)$ and which uses $\tilde{O}(m^{1/(\log k + 1)})$ space. This gives a point on the time/space tradeoff curve $T \cdot S^{\log k} = \binom{n}{\ell}$.

Note that the assumption $m < \binom{n/k}{\ell/k}$ implies that the modular information density is greater than $k$. Also note that random fixed weight subset sum problems require information density greater than one to ensure a solution exists with high probability. This makes Theorem 2.3 a counterpoint to the lattice reduction technique employed in [11]. Finally note that the hidden polynomial terms include $\Theta(\ell^{(k-1)/2})$, the expected cost of finding a good $k$-division (see Proposition 3.1). This limits the applicability of Theorem 2.3 to practical settings.

The key ingredient of the first theorem is the general decomposition algorithm of Schroeppel-Shamir [15], while the second theorem relies on the $k$-set birthday algorithm of Wagner [20]. The application of these algorithms to the fixed weight setting relies on splitting systems to perform the necessary decomposition. Another candidate for the $k$-division algorithm is the generalization of Schroeppel-Shamir outlined in [10] (but see [3] for a rebuttal).

The general idea behind the algorithm of Theorem 2.3 is the following. We pick a parameter $m$ so that the corresponding modular problem has high enough modular density for the $k$-set birthday algorithm to be successful. Noting that the sought-for integer solution is included in the set of solutions to the modular problem, we construct a modular oracle which outputs one of the modular solutions (nearly) uniformly at random. By repeating the modular oracle enough times, we expect to eventually find a solution to the original problem over the integers. The choice of $m$ determines the point on the time-space tradeoff curve, with larger choices being better in the sense that $T$ is smaller.

The importance of this new work is in improving the space complexity of the fixed weight subset sum problem. Theorem 2.2 is a direct improvement of the work given in [18], while Theorem 2.3 is the first to give a time/space tradeoff curve better than $T \cdot S^2$ for this problem. Although the time bound for the algorithm of Theorem 2.3 will nearly always be worse than $\tilde{O}(\binom{n}{\ell}^{1/2})$ due to the limitations on the choice of $m$, the algorithm is highly parallelizable by simply running the modular oracle on several processors at once. Thus with enough processors each will have less than that much work to do. An interesting open problem is to generalize the work in [10] to the subset sum problem, and then to explore the improvements to Theorem 2.3 that result from loosening the upper bound on $m$.
In Section 3 we present the notion of an $(n, \ell, k)$-splitting system and prove that they exist assuming $k$ divides $n$ and $\ell$. We prove Theorem 2.2 in Section 4, develop the modular oracle in Section 5, and prove Theorem 2.3 in Section 6. We discuss application to message attacks on knapsack cryptosystems in Section 7, experimentally seek the optimal choice of $m$ in Section 8, and finish by proving $(n, \ell, k)$-splitting systems exist in general in Section 9.



3. Splitting Systems 

Recall the definition of $k$-set splitting system given in the previous section, and that for now we assume both $n$ and $\ell$ are divisible by $k$. In [18] it is proved that the probability of a random 2-division being good is $\Omega(\ell^{-1/2})$ and that there is a trivial construction that yields a 2-set splitting system with $n$ divisions. In this section we generalize these results for $k$-set splitting systems. Note that design theory may yield a construction of a $k$-set splitting system with fewer divisions, as Stinson showed that a 2-set splitting system exists with at most $\ell^{3/2}$ divisions in [18].

The first result is a polynomial bound on the probability of choosing a good $k$-division randomly. One important note is that the constant depends exponentially on $k$, so it is important that $k$ be a fixed parameter.

Proposition 3.1. The probability of choosing a good $k$-division is bounded below by a constant times $\ell^{(1-k)/2}$.

Proof. First consider the number of ways of choosing $k$ sets of $n/k$ items from a total of $n$ items. It is

$$\frac{1}{k!}\binom{n}{n/k}\binom{n - n/k}{n/k}\cdots\binom{n - (k-2)n/k}{n/k} = \frac{1}{k!}\,\frac{n!}{((n/k)!)^k}$$

where the extra term offsets the double counting that results from the $k$ sets being indistinguishable.

This is also the number of $k$-divisions. The number of good $k$-divisions is counted by choosing $k$ equal sized sets from $Y$ and choosing $k$ equal sized sets from $X \setminus Y$. Thus the probability of choosing a good $k$-division is

$$\frac{\ell!}{((\ell/k)!)^k}\cdot\frac{(n-\ell)!}{(((n-\ell)/k)!)^k}\Big/\frac{n!}{((n/k)!)^k}. \qquad (2)$$

We next find upper and lower bounds on $n!/((n/k)!)^k$. Stirling's formula gives us
$$2n^n e^{-n}\sqrt{2\pi n} > n! > n^n e^{-n}\sqrt{2\pi n}.$$
For the lower bound this implies
$$\frac{n!}{((n/k)!)^k} > \frac{n^n e^{-n}\sqrt{2\pi n}}{\left(2 (n/k)^{n/k} e^{-n/k}\sqrt{2\pi n/k}\right)^k} = k^n \cdot 2^{-k} k^{k/2}(2\pi n)^{(1-k)/2},$$
while similarly for the upper bound we have
$$\frac{n!}{((n/k)!)^k} < \frac{2 n^n e^{-n}\sqrt{2\pi n}}{\left((n/k)^{n/k} e^{-n/k}\sqrt{2\pi n/k}\right)^k} = 2 k^n k^{k/2}(2\pi n)^{(1-k)/2}.$$
Thus (2) has a lower bound given by
$$\frac{k^{\ell} \cdot 2^{-k} k^{k/2}(2\pi \ell)^{(1-k)/2} \cdot k^{n-\ell} \cdot 2^{-k} k^{k/2}(2\pi(n-\ell))^{(1-k)/2}}{2 k^n k^{k/2}(2\pi n)^{(1-k)/2}} \ge c\,\ell^{(1-k)/2}$$
for some constant $c$ that does not depend on $\ell$ or $n$, but does depend exponentially on $k$. □

Next we construct a $k$-set splitting system with fewer than $n^{k-1}$ divisions, showing that a good division can be found deterministically in fewer than $n^{k-1}$ trials. This requires first proving that one of the sets $B_i = \{i + j \bmod n \mid 0 \le j < n/k\}$ satisfies $|B_i \cap Y| = \ell/k$.

Proposition 3.2. Let $Y$ be a subset of $\{0, \dots, n-1\}$ of size $\ell$. Then there exists $B_i$ such that $|B_i \cap Y| = \ell/k$.

Proof. First note that $B_0, B_{n/k}, B_{2n/k}, \dots, B_{(k-1)n/k}$ partition the set of $n$ indices. Now if $|B_0 \cap Y| = \ell/k$ we are done, so instead suppose (without loss of generality) that $|B_0 \cap Y| > \ell/k$. Then since we have a partition above, one of the $B_i$ for $i = 0, \frac{n}{k}, \frac{2n}{k}, \dots, \frac{(k-1)n}{k}$ must have the property that $|B_i \cap Y| < \ell/k$. Call this set $B_j$.

Define a function $v$ by $v(i) = |B_i \cap Y| - \ell/k$ and note that $|v(i) - v(i+1)| \le 1$. Since $v(0) > 0$ and $v(j) < 0$, there must be some $i$ with $v(i) = 0$. This completes the proof. □

The construction now follows by finding each $I_j$ in turn.

Proposition 3.3. There exists a $k$-set splitting system with fewer than $n^{k-1}$ divisions.

Proof. By Proposition 3.2 there exists a $B_i$ such that $|B_i \cap Y| = \ell/k$. Call it $I_1$, and reorder the $a_i$ so that the indices in $I_1$ are the last $n/k$ indices.

Redefine the $B_i$ so that they still have size $n/k$, but now wrap modulo $n - n/k$ rather than $n$. Proposition 3.2 is still valid, and so there exists a $B_i \subseteq X \setminus I_1$ such that $|B_i \cap Y| = \ell/k$. Call it $I_2$, and reorder the $a_i$ so that the indices in $I_2$ are the last $n - n/k$ indices.

By continuing in this fashion, we find a good division. Only $I_1, \dots, I_{k-1}$ need to be searched for, since $I_k$ consists of the leftover indices.

The number of divisions is the product of the number of $B_i$ searched for each of $I_1, \dots, I_{k-1}$, which is
$$n \cdot \left(n - \frac{n}{k}\right)\left(n - \frac{2n}{k}\right)\cdots\left(n - \frac{(k-2)n}{k}\right) < n^{k-1}. \qquad □$$
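To make Propositions 3.1 to 3.3 concrete, here is an added Python example (not code from the paper): it enumerates the splitting system of Proposition 3.3 as nested circular windows, checks that it contains a good division for a hidden $Y$, and compares the exact good-division probability of formula (2) with a Monte Carlo estimate over random divisions. The function names, the sample $Y$ and the instance sizes are the example's own choices; $Y$ is passed in only to verify the existence guarantee, since in the attack $Y$ is the unknown solution and each division is tested by running the inner algorithm on it.

```python
# Added example (not from the paper): the k-set splitting-system construction
# of Proposition 3.3 and the good-division probability of Proposition 3.1.
import math
import random
from itertools import combinations


def split_system(n, k):
    """Enumerate the divisions of Proposition 3.3 as tuples of k frozensets.

    Level 1 tries the n circular windows B_i of size n/k; each later level
    re-wraps the remaining indices (modulo n - n/k, then n - 2n/k, ...), and
    the last part is whatever is left.  The number of candidates is
    n * (n - n/k) * ... * (n - (k-2)n/k) < n^(k-1).
    """
    assert n % k == 0
    w = n // k

    def rec(remaining, parts):
        if len(parts) == k - 1:
            yield tuple(parts) + (frozenset(remaining),)
            return
        r = len(remaining)
        for i in range(r):
            block = frozenset(remaining[(i + j) % r] for j in range(w))
            rest = [x for x in remaining if x not in block]
            yield from rec(rest, parts + [block])

    yield from rec(list(range(n)), [])


def is_good(division, Y, l):
    """A division is good for Y when every part holds exactly l/k of Y."""
    k = len(division)
    return all(len(part & Y) == l // k for part in division)


def find_good_division(n, l, k, Y):
    """Deterministic search over the splitting system (Proposition 3.3)."""
    for d in split_system(n, k):
        if is_good(d, Y, l):
            return d
    return None


def all_targets_have_good_division(n, l, k):
    """Exhaustive check of the existence guarantee over every Y of size l."""
    return all(find_good_division(n, l, k, frozenset(Y)) is not None
               for Y in combinations(range(n), l))


def random_division(n, k, rng):
    """A uniformly random k-division, as the randomized algorithms use."""
    idx = list(range(n))
    rng.shuffle(idx)
    w = n // k
    return tuple(frozenset(idx[j * w:(j + 1) * w]) for j in range(k))


def exact_good_probability(n, l, k):
    """Formula (2) of Proposition 3.1: (#good divisions) / (#divisions)."""
    a, b, w = l // k, (n - l) // k, n // k
    good = (math.factorial(l) // math.factorial(a) ** k) * \
           (math.factorial(n - l) // math.factorial(b) ** k)
    total = math.factorial(n) // math.factorial(w) ** k
    return good / total


def estimate_good_probability(n, l, k, Y, trials, rng=None):
    """Monte Carlo check of Proposition 3.1 on a fixed Y (seeded by default)."""
    rng = rng or random.Random(0)
    hits = sum(is_good(random_division(n, k, rng), Y, l) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    # Constructed instance: n = 12, l = 6, k = 3 (k need not be a power of two here).
    Y = frozenset({1, 4, 5, 7, 9, 11})
    print("good division:", find_good_division(12, 6, 3, Y))
    print("divisions enumerated:", sum(1 for _ in split_system(12, 3)))
    print("exact P[good]:", exact_good_probability(12, 6, 3))
    print("estimated P[good]:", estimate_good_probability(12, 6, 3, Y, 20000))
```

For $n = 12$, $k = 3$ the enumeration yields $12 \cdot 8 = 96$ candidate divisions, matching the product in the proof of Proposition 3.3, and the exact probability $8100/34650 \approx 0.23$ is what the Monte Carlo estimate converges to.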



4. Applying Schroeppel-Shamir 



Chor and Rivest in [1, Section 7.3] proposed that the general algorithm of Schroeppel and Shamir [15] may be applicable to the fixed weight subset sum problem. In this section we accomplish this, giving a square root time and fourth root space algorithm. The only missing ingredient was the idea of a 4-set splitting system. We will assume for ease of exposition that $n$ and $\ell$ are divisible by 4. See Section 9 for the general case.
We review the theory of problem decomposition presented in [15], though we specialize to the case of using a good 4-division to solve the $\ell$-weight subset sum problem.

The fixed weight subset sum problem has length $n$ and weight $\ell$. By Section 3 the problem can be decomposed into subproblems of length $n/4$ and weight $\ell/4$. As with all subset sum problems, this decomposition is sound, complete, and polynomial (see [15] for definitions). However, it is not additive, and thus does not satisfy Schroeppel-Shamir's definition of a composition operator. Fortunately, this lack does not affect the analysis of their algorithm, only the expression of the complexity.

In order to apply the Schroeppel-Shamir algorithm, our decomposition must have 
two essential properties. 

Definition 4.1. A set of problems is polynomially enumerable if there is a polynomial time algorithm which finds for each bit string $x$ the subset of problems which are solved by $x$.

Definition 4.2. A composition operator $\oplus$ is monotonic if the problems of each size can be totally ordered in such a way that $\oplus$ behaves monotonically: if $|P'| = |P''|$ and $P' < P''$ then $P \oplus P' < P \oplus P''$ and $P' \oplus P < P'' \oplus P$.

Define a problem on set $I_j$, $1 \le j \le 4$, by $(b, \{a_i \mid i \in I_j\})$ where $x$ of weight $\ell/4$ is a solution if
$$\sum_{i \in I_j} a_i x_i = b.$$
Define a composition operator by
$$P_j \oplus P_{j'} = (b + b', \{a_i \mid i \in I_j \cup I_{j'}\}).$$
This is polynomial and polynomially enumerable since addition is polynomial time. It is sound since if $\sum_{i \in I_j} a_i x_i = b$ and $\sum_{i \in I_{j'}} a_i x_i = b'$ then $\sum_{i \in I_j \cup I_{j'}} a_i x_i = b + b'$. It is complete by the definition of a good division.

Finally, $\oplus$ is monotonic if we order problems by their solution $b$, and if this is equal then lexicographically by their sets $\{a_i \mid i \in I_j\}$. For suppose that $(b', \{a'_1, \dots, a'_{n/4}\}) < (b'', \{a''_1, \dots, a''_{n/4}\})$. Then
$$(b' + b, \{a'_1, \dots, a'_{n/4}, a_1, \dots, a_{n/4}\}) < (b'' + b, \{a''_1, \dots, a''_{n/4}, a_1, \dots, a_{n/4}\})$$
and
$$(b + b', \{a_1, \dots, a_{n/4}, a'_1, \dots, a'_{n/4}\}) < (b + b'', \{a_1, \dots, a_{n/4}, a''_1, \dots, a''_{n/4}\}).$$

We now state the main theorem in the context of the $\ell$-weight subset sum problem.

Theorem 4.3 (Schroeppel and Shamir [15]). If a set of problems is polynomially enumerable and has a monotonic composition operator, then instances can be solved in time $\tilde{O}(\binom{n/4}{\ell/4}^2)$ and space $\tilde{O}(\binom{n/4}{\ell/4})$.

The algorithm is summarized as follows. Let $P$ be a problem of length $n$ and weight $\ell$ for which we seek a solution, and assume we are given a good division. For $I_1, I_2, I_3, I_4$ enumerate all subproblems and store in tables $T_j$, $1 \le j \le 4$.

Sort $T_2$ in increasing order and sort $T_4$ in decreasing order. Make two queues (with arbitrary polynomial time insertions and deletions), with the first containing pairs $(P_1, \text{smallest } P_2)$ for all $P_1 \in T_1$ and the other containing pairs $(P_3, \text{largest } P_4)$ for all $P_3 \in T_3$. Now repeat the following until either a solution is found or both queues are empty (in which case there is no solution): compute $S = (P_1 \oplus P_2) \oplus (P_3 \oplus P_4)$ and output $S$ if $S = P$. If $S < P$ delete $(P_1, P_2)$ from the first queue and add $(P_1, P_2')$ where $P_2'$ is the successor of $P_2$. If $S > P$ delete $(P_3, P_4)$ from the second queue and add $(P_3, P_4')$ where $P_4'$ is the successor of $P_4$.

We conclude that if we have a good 4-division, the algorithm of Schroeppel and Shamir will solve the problem. By Propositions 3.1 and 3.3 we know that a good 4-division can be found in $O(n^3)$ trials deterministically or expected $O(\ell^{3/2})$ trials randomly. This inspires the following algorithm for the fixed weight subset sum problem.



Algorithm 1 Schroeppel-Shamir for fixed weight subset sum

1: Input: positive integers $a_1, \dots, a_n, t, \ell$
2: Output: $x \in \{0, 1\}^n$ of weight $\ell$ such that $\sum_{i=1}^{n} a_i x_i = t$
3: while no solution do
4:     choose division $D = \{I_1, I_2, I_3, I_4\}$
5:     for $1 \le j \le 4$ form table $T_j$ of problems, one for each weight $\ell/4$ subset of $I_j$
6:     apply Schroeppel-Shamir to $T_1, T_2, T_3, T_4$
7: end while



Proof of Theorem 2.2. The correctness follows from the monotonicity of $\oplus$, see [15] for details. From [15], the maximum number of elements in either queue at any one time is $\binom{n/4}{\ell/4}$ and the maximum number of steps needed is the number of pairs $(P_1, P_2)$, which is $\binom{n/4}{\ell/4}^2$. Thus the space complexity of Algorithm 1 is $\tilde{O}(\binom{n/4}{\ell/4})$ and the time complexity is $\tilde{O}(n^3 \binom{n/4}{\ell/4}^2)$ using deterministic splitting and $\tilde{O}(\ell^{3/2} \binom{n/4}{\ell/4}^2)$ using randomized splitting. □

As this work was inspired by Stinson's paper [18] on the fixed weight discrete logarithm problem, it is worth noting that Algorithm 1 applies directly to that problem as well.

Also note that given a brute force running time of $\tilde{O}(\binom{n}{\ell})$, Algorithm 1 is a square root time and fourth root space algorithm, and hence lies on the tradeoff curve $T \cdot S^2 = \binom{n}{\ell}$. This is justified by Stirling's formula, which gives
$$\binom{n/4}{\ell/4} = \tilde{O}\!\left(\binom{n}{\ell}^{1/4}\right).$$
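The two-queue sweep of this section, as an added Python example that is not part of the paper: it builds the four tables of a 4-division, runs the Schroeppel-Shamir pass with binary heaps standing in for the queues (the heap tops are exactly the pairs $(P_1, \text{smallest } P_2)$ and $(P_3, \text{largest } P_4)$, and "successor" is the next entry of the sorted $T_2$ or $T_4$), and wraps it in the random-division loop of Algorithm 1. The weights, the hidden solution, the fixed good division and the function names are constructed for the example.

```python
# Added example (not from the paper): Algorithm 1, the Schroeppel-Shamir
# two-queue sweep over the tables T1..T4 of a 4-division, with the outer loop
# over random divisions.  Table entries are (partial sum, index tuple).
import heapq
import random
from itertools import combinations


def table(a, part, w):
    """All weight-w subproblems over the index set `part`: (sum, indices)."""
    return [(sum(a[i] for i in c), c) for c in combinations(sorted(part), w)]


def schroeppel_shamir(a, t, division, l):
    """Search a fixed 4-division for x of weight l with sum t.

    Returns the index tuple of a solution, or None when this division has
    none (which is the case whenever the division is not good for the
    hidden solution).
    """
    I1, I2, I3, I4 = division
    w = l // 4
    T1, T2, T3, T4 = (table(a, I, w) for I in (I1, I2, I3, I4))
    T2.sort()                      # increasing
    T4.sort(reverse=True)          # decreasing
    # left heap: (P1 + P2, i, j), smallest composed sums first
    lo = [(T1[i][0] + T2[0][0], i, 0) for i in range(len(T1))]
    # right heap: (-(P3 + P4), u, v), so the largest composed sums come first
    hi = [(-(T3[u][0] + T4[0][0]), u, 0) for u in range(len(T3))]
    heapq.heapify(lo)
    heapq.heapify(hi)
    while lo and hi:
        s_lo, i, j = lo[0]
        s_hi, u, v = hi[0]
        S = s_lo - s_hi            # (P1 + P2) + (P3 + P4)
        if S == t:
            return tuple(sorted(T1[i][1] + T2[j][1] + T3[u][1] + T4[v][1]))
        if S < t:
            # no remaining right pair is larger, so (P1, P2) can never reach t
            heapq.heappop(lo)
            if j + 1 < len(T2):
                heapq.heappush(lo, (T1[i][0] + T2[j + 1][0], i, j + 1))
        else:
            # no remaining left pair is smaller, so (P3, P4) can never reach t
            heapq.heappop(hi)
            if v + 1 < len(T4):
                heapq.heappush(hi, (-(T3[u][0] + T4[v + 1][0]), u, v + 1))
    return None


def fixed_weight_subset_sum(a, t, l, rng=None, max_divisions=10000):
    """Algorithm 1: retry random 4-divisions until one is good and yields a solution."""
    rng = rng or random.Random(1)
    n = len(a)
    assert n % 4 == 0 and l % 4 == 0
    for _ in range(max_divisions):
        idx = list(range(n))
        rng.shuffle(idx)
        division = tuple(frozenset(idx[q * n // 4:(q + 1) * n // 4]) for q in range(4))
        sol = schroeppel_shamir(a, t, division, l)
        if sol is not None:
            return sol
    return None


# Constructed instance: 16 weights, hidden solution Y, target T = sum over Y = 479.
A = [97, 53, 71, 12, 88, 34, 66, 45, 29, 81, 58, 23, 90, 17, 76, 41]
Y = (0, 2, 5, 7, 9, 10, 13, 14)
T = sum(A[i] for i in Y)
# A division that meets Y in exactly two indices per part, i.e. a good one.
GOOD = (frozenset(range(0, 4)), frozenset(range(4, 8)),
        frozenset(range(8, 12)), frozenset(range(12, 16)))

if __name__ == "__main__":
    print("on a good division:", schroeppel_shamir(A, T, GOOD, 8))
    print("random divisions:", fixed_weight_subset_sum(A, T, 8))
```

Each iteration of the sweep pops one heap entry and pushes at most one with an advanced index, so the pass over a division terminates after at most $|T_1| \cdot |T_2| + |T_3| \cdot |T_4|$ steps, which is the step bound used in the proof of Theorem 2.2.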

5. Modular Oracle 

Having proved Theorem 2.2, our task in the next two sections is to prove Theorem 2.3. Along with the notion of a $k$-division, the new ingredient needed is an oracle that for a given $m$, returns a random solution of the modular subset sum problem over $\mathbb{Z}/m\mathbb{Z}$. This oracle will be the multi-set birthday algorithm of Wagner [20], modified for the subset sum problem by Lyubashevsky [5] and proven correct in [17] (with complete proofs in [16]). In this section we present the multi-set birthday algorithm, modified to output a modular solution uniformly at random. In Section 6 we demonstrate how this applies to the integer fixed weight subset sum problem to finish the proof of Theorem 2.3.

Suppose we have lists $L_1, \dots, L_k$ of $N$ elements drawn uniformly and independently from $\mathbb{Z}/m\mathbb{Z}$ and a target $t$. The $k$-set birthday problem is to find $s_i \in L_i$ with $\sum s_i = t \bmod m$. We can assume without loss of generality that our target is 0, since if it is not we can replace $L_k$ with $L_k - t \bmod m$ and the elements will still be uniformly generated from $\mathbb{Z}/m\mathbb{Z}$. Use the representation that places elements in the interval $[-\frac{m}{2}, \frac{m}{2})$.

We will now briefly describe the original $k$-set algorithm from [20]. Assume that $k$ is a power of 2, and define parameter $p = m^{-1/(\log k + 1)}$. Let $I_0$ denote the interval $[-\frac{m}{2}, \frac{m}{2})$ and in general let $I_\lambda$ denote the interval $[-\frac{mp^\lambda}{2}, \frac{mp^\lambda}{2})$. Denote by $\bowtie_I$ the list merging operator, so that $L_1 \bowtie_I L_2$ is the set of elements $a + b \in I$ where $a \in L_1$, $b \in L_2$ and addition is in $\mathbb{Z}$. Let $\bowtie$ be the matching operator, so that $L_1 \bowtie L_2$ outputs pairs $(a, b)$ with $a \in L_1$, $b \in L_2$ such that $a + b = 0$ (over $\mathbb{Z}$).

These operators are instantiated as follows. For $\bowtie_I$, start by sorting $L_1$ and $L_2$. For each $a \in L_1$, search for $b$ from $L_2$ that fall in the interval $I - a$ and place all such $a + b$ in the output list. Note that if $L_1$ and $L_2$ have size $N$, then the complexity of this operator is $O(N \log N)$ time and space. For $\bowtie$, sort $L_1$ and apply a random permutation to $L_2$. Then for each $b \in L_2$, search for $-b$ in $L_1$. The complexity is again $O(N \log N)$ time and space.

The $k$-set birthday algorithm proceeds as follows. For level $\lambda$, $1 \le \lambda \le \log k - 1$, we denote lists by $L_i^{(\lambda)}$ and apply the operator $\bowtie_{I_\lambda}$ to pairs of lists. At level $\log k$ we apply $\bowtie$ to the remaining pair of lists, and every element of $L_1^{(\log k)} \bowtie L_2^{(\log k)}$ is a solution to the problem. Here we deviate from Wagner slightly and have the algorithm output a random element from the result of $\bowtie$ to ensure that the output is a random modulo $m$ solution. Pseudocode for this algorithm appears as Algorithm 2.

Algorithm 2 Modular $k$-set Oracle

1: Input: Lists $L_1, \dots, L_k$ of size $N$, modulus $m$, target $t$
2: Output: $s_1, \dots, s_k$ with $s_i \in L_i$ such that $s_1 + \dots + s_k - t = 0 \bmod m$.
3: Set $p = m^{-1/(\log k + 1)}$; ensure that $N \ge 1/p$
4: For all list elements use representation in $[-\frac{m}{2}, \frac{m}{2})$
5: for level $\lambda = 1$ to $\log k - 1$ do
6:     apply $\bowtie_{I_\lambda}$ to pairs of lists
7: end for
8: apply $\bowtie$ to the final pair of lists $(L_1^{(\log k)}, L_2^{(\log k)})$
9: output an element of $L_1^{(\log k)} \bowtie L_2^{(\log k)}$ at random



We assume that with $N = 1/p$, the size of $L_1 \bowtie_{I_\lambda} L_2$ is again a list of size $1/p$ for $1 \le \lambda \le \log k - 1$. In [17] it is proven that list elements at all levels are close to uniform. Furthermore, if we assume the initial lists have size $\alpha/p$ and modify the listmerge operator so that for each $a \in L_1$, exactly one $b$ from $L_2$ is chosen so that $a + b \in I$, then $L_1^{(\lambda)} \bowtie_{I_\lambda} L_2^{(\lambda)}$ again has $\alpha/p$ elements (with exponentially small failure probability). Here $\alpha$ is a parameter chosen that depends on the requested chance of failure; for our purposes it suffices to know it is bounded by a polynomial in $n$.

Now, our stated implementation of the listmerge operator keeps all sums $a + b \in I$ because we want all solutions to have a chance at being found. Since having more elements at each level only increases the probability of the $k$-set algorithm succeeding, we have a rigorously analyzed algorithm if we accept an additional complexity factor of $n^{O(1)}$.
With the two lists at level $\log k$ each having size $\alpha/p$ and containing (almost) uniform elements in the interval $[-\frac{mp^{\log k - 1}}{2}, \frac{mp^{\log k - 1}}{2})$, we conclude by the work in [12] that $L_1^{(\log k)} \bowtie L_2^{(\log k)}$ contains at least one element with positive probability, and thus that Algorithm 2 outputs a solution with positive probability. The complexity of the algorithm is the complexity of running $\bowtie_{I_\lambda}$ a total of $2k$ times, for a total of $\tilde{O}(m^{1/(\log k + 1)})$ time and space.

5.1. Randomizing the Modular Oracle. Note that not every solution to the modular subset sum problem could be output by Algorithm 2. Inspired by a suggestion from [20], our focus for the rest of this section will be on using Algorithm 2 to generate a random solution to the $k$-set birthday problem, one which has a nearly uniform distribution.

Define the 2-sums of the problem to be $L_1 + L_2, L_3 + L_4, \dots, L_{k-1} + L_k$, the 4-sums to be $L_{4i+1} + L_{4i+2} + L_{4i+3} + L_{4i+4}$ for $0 \le i < \frac{k}{4}$, and so on up to the two $\frac{k}{2}$-sums $L_1 + \dots + L_{k/2}$ and $L_{k/2+1} + \dots + L_k$. This term will also be used for the corresponding sums of a particular solution $(s_1, \dots, s_k)$. We refer to both integer sums and modular sums depending on whether the addition is over $\mathbb{Z}$ or over $\mathbb{Z}/m\mathbb{Z}$.

Let $R$ be a set of $\frac{3k}{4} - 1$ elements of $\mathbb{Z}/m\mathbb{Z}$ generated uniformly at random. For each of the 4-sums, replace the lists $L_1, L_2, L_3, L_4$ with $L_1 + r_1, L_2 + r_2, L_3 - r_1, L_4 - r_2$ where $r_1$ and $r_2$ are two elements of $R$. For each of the 8-sums, replace $L_{8i+4}$ with $L_{8i+4} + r$ and $L_{8i+8}$ with $L_{8i+8} - r$. In general, for each of the $2^j$-sums ($3 \le j \le \log k$), replace $L_{2^j i + 2^{j-1}}$ with $L_{2^j i + 2^{j-1}} + r$ and $L_{2^j i + 2^j}$ with $L_{2^j i + 2^j} - r$. All these operations are in $\mathbb{Z}/m\mathbb{Z}$.

In the example of the 8-set algorithm $R = \{r_1, r_2, r_3, r_4, r_5\}$ and lists $L_1, \dots, L_8$ are replaced by
$$L_1 + r_1,\ L_2 + r_2,\ L_3 - r_1,\ L_4 - r_2 + r_5,\ L_5 + r_3,\ L_6 + r_4,\ L_7 - r_3,\ L_8 - r_4 - r_5.$$

We seek to prove that applying Algorithm 2 to lists modified in this way results in a solution drawn almost uniformly at random from the space of all solutions to the $k$-set birthday problem on fixed lists $L_1, \dots, L_k$. To classify which solutions are possibly output we make the following definition.

Definition 5.1. Let a solution $s_1 + \dots + s_k$ modified in the above manner by a randomizing set $R$ be denoted $s'_1 + \dots + s'_k$. Call a solution to the modulo $m$ subset sum problem viable with respect to a randomizing set $R$ if for $1 \le i \le \log k - 1$, all integer $2^i$-sums $s'$ satisfy $s' \in I_i$.

We will also refer to an individual integral or modular $2^i$-sum $s'$ as viable if $s' \in I_i$.

Algorithm 2 performs additions in $\mathbb{Z}$ despite the fact that a modular solution is sought. Our goal is to prove that the number of randomizing sets making a solution $s$ viable is roughly equal. We first prove this for modular $2^i$-sums with $i \ge 2$ in Lemma 5.2, starting with the $\frac{k}{2}$-sums and working down. The integer 2-sums are analyzed in Lemma 5.3, from which the main theorem quickly follows. The key observation is that a modular solution with viable modular $2^i$-sums for all $i \ge 2$ and viable integral 2-sums must also have viable integral $2^i$-sums for all $i \ge 2$.

Lemma 5.2. Let $i \ge 2$ and consider $s + t$, the sum of two $\frac{k}{2^i}$-sums. Assuming that $s + t \bmod m \in I_{\log k - i + 1}$, the number of $r$ such that $s + r \bmod m$ and $t - r \bmod m$ simultaneously fall in $I_{\log k - i}$ is at least $mp^{\log k - i}(1 - p) - 1$ and at most $mp^{\log k - i}$.

Proof. Call an $r$ value good if $s + r \bmod m \in I_{\log k - i}$ and $t - r \bmod m \in I_{\log k - i}$. The maximum number of good $r$ values occurs when $s + t = 0 \bmod m$. The size of $I_{\log k - i}$ is $\lfloor mp^{\log k - i} \rfloor$, and so this is the number of $r$ such that $s + r \bmod m \in I_{\log k - i}$. Since $s = -t \bmod m$, the same set of $r$ place $r - t \bmod m \in I_{\log k - i}$, and the same set of $r$ place $t - r \bmod m \in I_{\log k - i}$ since the interval is symmetric.

The minimum occurs when $s + t = \pm mp^{\log k - i + 1}$. The number of $r \in \mathbb{Z}/m\mathbb{Z}$ that place $s + r \in I_{\log k - i}$ is $\lfloor mp^{\log k - i} \rfloor$. The same set of $r$ values place $r - t + mp^{\log k - i + 1} \in I_{\log k - i}$, but a total of $mp^{\log k - i + 1}$ of the $r$ values are lost when we instead ask for $t - r \bmod m \in I_{\log k - i}$. So the number of valid $r$ values is at least $\lfloor mp^{\log k - i} - mp^{\log k - i + 1} \rfloor \ge mp^{\log k - i}(1 - p) - 1$. □

Suppose that randomizers have been found that place the modular 4-sums of a solution in $I_2$. We now seek to place the integer 2-sums in $I_1$. Since we will be mixing integer addition and modular addition, we use $\oplus$ to signify the latter. Recall that we are using $[-\frac{m}{2}, \frac{m}{2})$ as the set of representatives for elements of $\mathbb{Z}/m\mathbb{Z}$.

Lemma 5.3. Suppose that $s_1 + s_2 + s_3 + s_4 \bmod m$ is in $I_2$. Then the number of pairs $(r_1, r_2)$ such that
$$(s_1 \oplus r_1) + (s_2 \oplus r_2) \in I_1 \quad\text{and}\quad (s_3 \oplus r_1) + (s_4 \oplus r_2) \in I_1$$
is at most $m^2 p$ and at least $(m - 2mp)(mp - mp^2 - 1)$.

Proof. First, consider a fixed $r_1$, and let $s'_1 = s_1 \oplus r_1$ and $s'_3 = s_3 \oplus r_1$. Then we need $s_2 \oplus r_2 \in I_1 - s'_1$, where the interval subtraction is over $\mathbb{Z}$. The size of $I_1 - s'_1$ might be as small as $\frac{mp}{2}$ if $s'_1 = \pm\frac{m}{2}$. Since we can choose $r_2$ such that $s_2 \oplus r_2$ is any element in $[-\frac{m}{2}, \frac{m}{2})$, the number of such $r_2$ is the size of $I_1 - s'_1$. Simultaneously $r_2$ must satisfy $s_4 \oplus r_2 \in I_1 - s'_3$. There are two extremes, depending on whether $s_1 + s_2 + s_3 + s_4 = 0 \bmod m$ or $s_1 + s_2 + s_3 + s_4 = \pm mp^2 \bmod m$.

In the first case, $s'_1 \oplus s_2 = -(s'_3 \oplus s_4)$ and $I_1$ symmetric implies that there are at most $mp$ values of $r_2$ such that $s'_1 \oplus s_2 \oplus r_2$, $s'_3 \oplus s_4 \oplus r_2$ are in $I_1$. Since switching to $s'_1 + s_2 \oplus r_2$ and $s'_3 + s_4 \oplus r_2$ can only reduce the number of valid $r_2$, $mp$ is an upper bound.

However, if $s'_1 \oplus s_2 = mp^2 - (s'_3 \oplus s_4)$, then by the same argument from Lemma 5.2 the number of valid $r_2$ for the modular sums is $\lfloor mp - mp^2 \rfloor$. The number of valid $r_2$ for the integer sums could be smaller depending on the sizes of $I_1 - s'_1$ and $I_1 - s'_3$.

Now consider the size of $I_1 - s'_1$ and $I_1 - s'_3$ depending on $r_1$. When $r_1$ shifts by one, the intervals shift by one as well. The intervals will have less than full size when $s_1 \oplus r_1$ or $s_3 \oplus r_1$ is less than $-\frac{m}{2} + \frac{mp}{2}$ or greater than $\frac{m}{2} - \frac{mp}{2}$. Hence the number of $r_1$ that make one of the intervals have less than full size is at most $2mp$.

Thus the number of valid pairs $(r_1, r_2)$ is at most $m^2 p$ (assuming intervals full size for all $r_1$ and in case one above) and is at least $(m - 2mp)(mp - mp^2 - 1)$ (assuming interval size taken from case two). □

Theorem 5.4. Assume that $k \cdot mp < m$. Let $A$ be the event that a solution $s = s_1 + \dots + s_k$ is output by the modular oracle, given that some solution is output. Then the distribution of $A$ is uniform within a factor of $(1 - 2p)^{3k/4}$.
Proof. We have $\Pr[s \text{ solution}] = \Pr[s \text{ viable}] \cdot \Pr[s \text{ solution} \mid s \text{ viable}]$, where we leave unwritten the assumption that some solution is output. We first bound $\Pr[s \text{ viable}]$.

We have $s_1 + \dots + s_k = 0 \bmod m$. Using the same argument as in the first case of Lemma 5.2, there are $mp^{\log k - 1}$ values of $r$ such that $s_1 + \dots + s_{k/2} + r \bmod m$ and $s_{k/2+1} + \dots + s_k - r \bmod m$ both fall in $I_{\log k - 1}$.

Using this as the base case and Lemma 5.2 as the inductive step, we have upper and lower bounds on the number of randomizers at each level. Given randomizers that place modular sums in the proper interval, and in particular that place modular 4-sums in $I_2$, Lemma 5.3 gives us the number of randomizers that place integer 2-sums in $I_1$. Thus our modified solution $s'_1 + \dots + s'_k$ is a modular solution with viable integer 2-sums, which since $k \cdot mp < m$ implies that all integer $2^i$-sums lie in $I_i$, and hence that the solution is viable with respect to those randomizing sets.

There are a total of $m^{3k/4 - 1}$ randomizing sets. Combining the bounds from Lemmas 5.2 and 5.3 gives the following bounds on the number for which $s$ is viable.

Setting $N = \frac{k}{4} + 2 \cdot \frac{k}{8} + 3 \cdot \frac{k}{16} + \dots + (\log k - 1) \cdot \frac{k}{2^{\log k}}$, an upper bound is given by
$$(m^2 p)^{k/4} \cdot (mp^2)^{k/8} \cdot (mp^3)^{k/16} \cdots (mp^{\log k - 1}) = m^{3k/4 - 1} \cdot p^N.$$
Noting that $mp^{\log k - i} - mp^{\log k - i + 1} - 1 \ge mp^{\log k - i}(1 - 2p)$, a lower bound is given by
$$(m^2 p(1 - 2p)^2)^{k/4} \cdot (mp^2(1 - 2p))^{k/8} \cdot (mp^3(1 - 2p))^{k/16} \cdots (mp^{\log k - 1})(1 - 2p) = m^{3k/4 - 1} \cdot (1 - 2p)^{3k/4 - 1} \cdot p^N.$$

Thus $\Pr[s \text{ viable}]$ is uniform on the upper bound and uniform within a factor of $(1 - 2p)^{3k/4}$ on the lower bound.

We now consider the second term. Algorithm 2 is written so that for a given set of randomizers, a solution is output uniformly at random from the set of viable solutions. Since the number of viable solutions is bounded by $\Pr[s \text{ viable}]$ times the number of solutions, the fact that $\Pr[s \text{ viable}]$ is close to uniform makes $\Pr[s \text{ solution} \mid s \text{ viable}]$ close to uniform, but with the factors on the upper and lower bounds switched.

Thus upper and lower bounds for the probability of the event $A$ are separated from uniform by a factor of $(1 - 2p)^{3k/4}$. □

6. The k-Set Algorithm

In this section we utilize the $k$-set modular oracle in designing an algorithm for the fixed weight subset sum problem. Lyubashevsky [5] was the first to leverage an algorithm for the modular subset sum problem out of an algorithm for the $k$-set birthday problem. Our modifications include dealing with the fixed weight nature of the problem by employing a $k$-division, and dealing with the integral nature of the problem by looping on the modular oracle until an integer solution is found. The pseudocode appears as Algorithm 3.

If $\ell$ is small compared to $k$, one could instead solve the $(n - \ell)$-weight subset sum problem with target $\left(\sum_{i=1}^n a_i\right) - t$.

Algorithm 2 takes as input uniformly distributed elements of $\mathbb{Z}/m\mathbb{Z}$. By the work in [6], if $a_1 \bmod m, \ldots, a_n \bmod m$ are uniformly distributed over $\mathbb{Z}/m\mathbb{Z}$, then random $n/k$-length, $\ell/k$-weight subsets of these elements will be exponentially close to uniform as long as $m < \binom{n/k}{\ell/k}$. If in addition we seed the lists with $\mathrm{poly}(n) \cdot m^{1/(\log k + 1)}$ elements, then combined with the work of Section 5.1 we get a rigorous analysis of Algorithm 3.

Algorithm 3 Multi-set Algorithm for Fixed Weight Subset Sum

1: Input: positive integers $a_1, \ldots, a_n$, target $t$, weight $\ell$, parameters $k$, $m$
2: Output: $x \in \{0, 1\}^n$ of weight $\ell$ with $\sum_{i=1}^n a_i x_i = t$
3: while no integer solution do
4:   choose random $k$-division $(I_1, \ldots, I_k)$
5:   choose set $R$ of $3k/4 - 1$ random elements of $\mathbb{Z}/m\mathbb{Z}$
6:   form lists $L_1, \ldots, L_k$ of size $m^{1/(\log k + 1)}$ whose elements are random subsets of weight $\ell/k$ from the corresponding $I_j$, reduced modulo $m$
7:   apply randomizers from $R$ to the lists as described in Section 5.1
8:   apply Algorithm 2 to $L_1, \ldots, L_k$
9:   if success then
10:    check if integer solution
11:  end if
12: end while

We now prove Theorem 2.3 (restated here for convenience) by analyzing Algorithm 3. To solve the integer fixed weight subset sum problem, we make an appropriate choice of $m$, which determines the resulting point on the time-space tradeoff curve. The upper bound on $p$ required by Theorem 5.4 is satisfied by choosing $m$ and $k$ so that $\log m > 2(\log k)^2$.

Theorem 6.1. Choose parameters $m$ and $k$ so that $k$ is a power of 2, $m < \binom{n/k}{\ell/k}$, and $\log m > 2(\log k)^2$. Assume that when reduced modulo $m$, the $a_i$ are uniformly random elements of $\mathbb{Z}/m\mathbb{Z}$. Then the expected running time of Algorithm 3 is $O\!\left(m^{1/(\log k + 1)} \cdot \binom{n}{\ell}/m\right)$ and the algorithm uses $O\!\left(m^{1/(\log k + 1)}\right)$ space. This gives a point on the time/space tradeoff curve $T \cdot S^{\log k} = \binom{n}{\ell}$.

Proof. The probability that Algorithm 3 finds a solution on a particular iteration of the while loop is the product of three probabilities: the probability that the $k$-division is good with respect to some unknown solution, the probability that Algorithm 2 succeeds, and the probability that the modular solution found by Algorithm 2 is also the integer solution.

By Proposition 3.1 the first term is greater than the lower bound given there. The second probability is greater than some fixed $\varepsilon$ by the previous work outlined in Section 5. For the third term, we first call upon a theorem of Impagliazzo and Naor [6] (proven using the leftover hash lemma) which tells us that with the $a_i$ drawn uniformly at random from $\mathbb{Z}/m\mathbb{Z}$ and $m < \binom{n}{\ell}$, the distribution of random $\ell$-weight subsets is exponentially close to uniform. Thus we expect the number of modular solutions to be a constant times $\binom{n}{\ell}/m$. By Theorem 5.4 we conclude that the third probability factor is greater than $(1 - 2p)^{3k/4} \cdot m/\binom{n}{\ell}$. Note that $(1 - 2p)^{3k/4} > \tfrac12$, since $\log m > 2(\log k)^2$ implies that $p = m^{-1/(\log k + 1)}$ is small enough.

Thus the expected number of iterations of the while loop is the reciprocal of the product of these three probabilities. The cost of each iteration is dominated by Algorithm 2, which takes $O(m^{1/(\log k + 1)})$ time and space.

Thus Algorithm 3 takes expected time $O\!\left(m^{1/(\log k + 1)} \cdot \binom{n}{\ell}/m\right)$ and space $O\!\left(m^{1/(\log k + 1)}\right)$, which is a point on the time and space tradeoff curve $T \cdot S^{\log k} = \binom{n}{\ell}$. □

As an example of parameter choices in action, suppose we wish to solve an integer fixed weight subset sum problem with an 8-set birthday algorithm. Our conjectural maximal choice of $m$ is $\binom{n/8}{\ell/8}^{4}$, which is approximately $\binom{n}{\ell}^{1/2}$. Thus we expect the problem to be solved in time $O\!\left(\binom{n}{\ell}^{1/8} \binom{n}{\ell}^{1/2}\right)$ and space $O\!\left(\binom{n}{\ell}^{1/8}\right)$.

Note that Algorithm [3] is highly parallelizable, since running it simultaneously 
on N processors increases the probability of success by a factor of N. 
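The following Python program, added here as an illustration and not taken from the paper, runs the $k = 2$ case of Algorithm 3 on a small constructed instance ($n = 16$, $\ell = 8$, $a_i < 2^{18}$, $m = 1024$; all values chosen for the example). With two lists the modular oracle is a plain birthday match between the halves of a 2-division, so the randomizers of step 5 are not needed; as a further simplification every weight-$\ell/2$ subset of each half is enumerated rather than a sample of $m^{1/2}$ of them. The function names are the example's own.

```python
import random
from itertools import combinations
from math import comb

# Example code (not from the paper): Algorithm 3 specialised to k = 2.
# With two lists the modular oracle is a birthday match between the halves
# of a 2-division, so no randomizers (step 5 of Algorithm 3) are required.
# Simplification: all weight-l/2 subsets of each half are enumerated rather
# than a random sample of m^(1/2) of them.


def expected_modular_solutions(n, l, m):
    """Heuristic number C(n, l)/m of weight-l subsets whose sum is t mod m."""
    return comb(n, l) / m


def random_division(n, k, rng):
    """Step 4: a random k-division, a partition of 0..n-1 into k blocks of
    n/k indices (n must be divisible by k)."""
    idx = list(range(n))
    rng.shuffle(idx)
    size = n // k
    return [sorted(idx[j * size:(j + 1) * size]) for j in range(k)]


def modular_oracle_2set(a, t, m, I1, I2, w):
    """Steps 6-8 for k = 2: index every weight-w subset of I1 by its sum
    mod m, then look up, for each weight-w subset of I2, the residue that
    completes t. Yields index tuples S with sum(a[i] for i in S) = t (mod m)."""
    table = {}
    for S1 in combinations(I1, w):
        table.setdefault(sum(a[i] for i in S1) % m, []).append(S1)
    for S2 in combinations(I2, w):
        need = (t - sum(a[i] for i in S2)) % m
        for S1 in table.get(need, ()):
            yield S1 + S2


def algorithm3_2set(a, t, l, m, rng, max_iters=10_000):
    """The while loop of Algorithm 3 with k = 2. Returns (x, hits): x is a
    0/1 vector of weight l with sum(a_i x_i) = t over the integers, and hits
    counts the modular solutions examined up to and including it (N_a of
    Section 8)."""
    n = len(a)
    assert n % 2 == 0 and l % 2 == 0, "this example needs k = 2 to divide n and l"
    hits = 0
    for _ in range(max_iters):
        I1, I2 = random_division(n, 2, rng)
        for S in modular_oracle_2set(a, t, m, I1, I2, l // 2):
            hits += 1
            if sum(a[i] for i in S) == t:        # step 10: integer check
                x = [0] * n
                for i in S:
                    x[i] = 1
                return x, hits
    return None, hits


def constructed_instance(n=16, l=8, bits=18, seed=7):
    """Constructed sample problem: random a_i < 2^bits, giving integer density
    about n/bits = 0.9 as in the experiments of Section 8, and a hidden
    weight-l message x with t = sum(a_i x_i)."""
    rng = random.Random(seed)
    a = [rng.randrange(1, 1 << bits) for _ in range(n)]
    ones = set(rng.sample(range(n), l))
    x = [1 if i in ones else 0 for i in range(n)]
    t = sum(ai * xi for ai, xi in zip(a, x))
    return a, t, x, rng


def demo(m=1024):
    """Recover a weight-8 message from its knapsack sum with the 2-set loop."""
    a, t, _hidden, rng = constructed_instance()
    x, hits = algorithm3_2set(a, t, 8, m, rng)
    return a, t, x, hits


if __name__ == "__main__":
    a, t, x, hits = demo()
    print("recovered x =", x)
    print("modular solutions seen:", hits,
          "(heuristic per good division:",
          round(expected_modular_solutions(16, 8, 1024), 1), ")")
```

Running `demo()` returns the recovered vector together with the number of modular solutions seen before the integer one was reached, which can be compared with `expected_modular_solutions(16, 8, 1024)`, the $\binom{n}{\ell}/m$ heuristic used in the proof of Theorem 6.1; a division that is not good with respect to the hidden message yields only spurious modular solutions, which is why the loop redraws it.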

7. Application to Knapsack Cryptosystems 

Knapsack cryptosystem is the term used for a class of public key cryptosystems 
whose underlying hard problem is the integer subset sum problem. Though few 
have remained unbroken, the search for knapsack cryptosystems remains popular 
due to their fast encryption and easy implementation. 

A knapsack cryptosystem is defined abstractly as follows. We have a public key $(a_1, \ldots, a_n)$ defining a hard subset sum problem, and a private key which transforms the hard problem into an easy subset sum problem. To send a message $x \in \{0, 1\}^n$, a user computes $t = \sum_{i=1}^n a_i x_i$ and sends it. The receiver, who has the private key, transforms the problem and then solves the easy subset sum problem to recover $x$.

There are two main attacks on knapsack cryptosystems. First, there are key attacks, which attempt to recover the easy subset sum problem from the public key. Second, there are message attacks, which attempt to recover the message by solving the hard subset sum problem $a_1 x_1 + \cdots + a_n x_n = t$. Key attacks are not our concern in this paper; we simply note that many systems have succumbed to such attacks, the seminal cryptosystem of Merkle-Hellman [9] among them. We focus instead on message attacks, which are equivalent to solving the subset sum problem or its variants.

The most successful message attack in theory and in practice is the low-density attack that reduces the subset sum problem to the shortest vector problem or the closest vector problem, discussed in Section 3. Since unique decryption requires $2^n < \sum_{i=1}^n a_i$, and hence that the density be no more than a little above 1, these results pose a conundrum for the knapsack designer. As a result, modern designs have relied on fixing the Hamming weight of allowed messages, so that the underlying hard problem becomes the fixed weight subset sum problem. This began with Chor-Rivest [1] and continues into the present with the notable OTU scheme [3] and its non-quantum variant [4]. In this way $n$ can be made great enough that the density is above one, while the information density stays below one to preserve unique decryption. As an added bonus, the fixed weight subset sum problem has received much less attention in the literature, and so message attacks remain in a primitive state. Until recently the only known algorithm was the square root time-space tradeoff algorithm in [1, Section 7.3].

Here we have only scratched the surface of the vast literature on knapsack cryptosystems. For further information consult the survey [13].

The new result in this paper is Theorem 2.2, from which we immediately get a message attack that takes square root time and fourth root space. Theorem 2.3 is less interesting from this perspective because the large constant and polynomial terms, along with the sharp upper bound on the size of $m$, mean that seldom would the $k$-division algorithm reach even square root time in practice.

8. Data and Conclusions 

In this section we explore experimentally two questions related to Algorithm 3. The first is to measure the number of times Algorithm 2 succeeds before an integer solution is found, and to compare that to the expected number $\binom{n}{\ell}/m$. The second is to measure the success probability of Algorithm 2 when the modular information density is pushed lower than Theorem 2.3 requires. In particular, $m$ cannot be larger than $\binom{n/k}{\ell/k}^{\log k + 1}$, since otherwise there will not be enough weight-$\ell/k$ subsets to fill the lists $L_j$, so we choose $m$ between the bound required by Theorem 2.3 and this conjectural maximum.

We implemented 2-set, 4-set, and 8-set algorithms for the modular subset sum problem and applied them to the integer subset sum problem. We chose not to explore the additional impact of searching for a $k$-division, since the probability calculation is straightforward. We ran these algorithms on a desktop workstation on problems with $n$ equal to 24 and an integer density of 0.9.

In the tables that follow $d_m$ denotes the modular density. Each entry represents the mean over ten trials, except those marked with a * which represent the result after one trial. Let $N_a$ be the number of modular oracle successes before an integer solution is found.





            d_m = 1.5            d_m = 2              d_m = 4
            N_a      E[N_a]      N_a      E[N_a]      N_a       E[N_a]
2-set       209      256         1955     4096        353000    262000
4-set       168      256         5436     4096        260000    262000
8-set       265*     256         1831     4096        330000    262000


The next table explores the effect that parameters $m$ and $k$ have on Algorithm 2.

            d_m = 1.5               d_m = 2                 d_m = 4
            success %   time (s)    success %   time (s)    success %   time (s)
2-set       58.9 %      15          61.4 %      28          58.1 %      466
4-set       19.8 %      121         40.5 %      336         46.7 %      1594
8-set       0.7* %      11058*      11.9 %      945         57.2 %      6069


Taken together, this data supports our heuristic analysis of Algorithm 3. We see that the modular oracle succeeds with some constant probability, and that the number of successful oracle calls needed is roughly the expected number (though the variance is quite large).

We also see that despite a lower success percentage, choosing $d_m$ as small as possible results in a faster running time. There is a boundary beyond which the algorithm succeeds too rarely to be of any use, as exemplified by the 8-set algorithm with $d_m = 1.5$. A reasonable conjecture places this boundary at $d_m = k/(\log k + 1)$, since below this point there are not enough subsets to fill the lists $L_1, \ldots, L_k$ with $m^{1/(\log k + 1)}$ elements.

As $k$ increases the overhead associated with the more complicated algorithms outstrips their asymptotic improvement, at least for $n = 24$. It is unclear how large $n$ will have to be before the 8-set algorithm is faster than the 2-set algorithm for $d_m = 4$.

9. Splitting Systems in the Indivisibility Case 

In Section 3 we presented $(n, \ell, k)$-splitting systems and proved their existence under the assumption that $n$ and $\ell$ were divisible by $k$. In this section we relax this restriction, showing that splitting systems exist when $n, \ell$ are any positive integers greater than $k$. Let positive integers $r_1, r_2$ be defined by $n = k \cdot \lfloor n/k \rfloor + r_1$ and $\ell = k \cdot \lfloor \ell/k \rfloor + r_2$.

Definition 9.1. An $(n, \ell, k)$-splitting system is a set $X$ of $n$ indices along with a set $\mathcal{D}$ of divisions, where each division is itself a set $\{I_1, \ldots, I_k\}$ of subsets of indices. Here the $I_j$ partition $X$ and their sizes satisfy $|I_1| = \cdots = |I_{k-1}| = \lfloor n/k \rfloor$, $|I_k| = \lfloor n/k \rfloor + r_1$. A splitting system has the property that for every $Y \subseteq X$ such that $|Y| = \ell$, there exists a division $\{I_1, \ldots, I_k\} \in \mathcal{D}$ such that $|Y \cap I_j| = \lfloor \ell/k \rfloor$ for $1 \le j \le k - 1$ and $|Y \cap I_k| = \lfloor \ell/k \rfloor + r_2$.

Again, with $n, \ell, k$ understood as parameters of a fixed weight subset sum problem we are interested in solving, we refer to an $(n, \ell, k)$-splitting system as a $k$-set splitting system.

Most likely a better strategy in practice would be to spread the extra weight among the $I_j$ rather than assigning it all to $I_k$. This definition was chosen to quickly demonstrate that nondivisibility poses no barrier in theory. The key result is to prove the existence of this more general structure. In order to do this, we will first find $I_1, \ldots, I_{k-1}$, and leave the remainder of $X$ to $I_k$. Our candidates will be

$B_i = \{\, i + j \bmod n \mid 0 \le j < \lfloor n/k \rfloor \,\}.$

Given a fixed $Y \subseteq X$ of size $\ell$, we define a function $v$ by $v(i) = |B_i \cap Y| - \lfloor \ell/k \rfloor$.

Proposition 9.2. There exists a $k$-set splitting system with fewer than $n^{k-1}$ divisions.

Proof. Our initial goal is to prove that there must exist an $i$ with $v(i) = 0$. Consider $B_0, B_{\lfloor n/k \rfloor}, B_{2\lfloor n/k \rfloor}, \ldots, B_{(k-2)\lfloor n/k \rfloor}$. Define $B$ to be the remainder of the indices of $X$. If $v(i) = 0$ for one of $i = 0, \lfloor n/k \rfloor, \ldots, (k-2)\lfloor n/k \rfloor$ then we are done. If not, we wish to find $i, i'$ such that $v(i), v(i')$ have opposite signs.

If $v(i) > 0$ for each of $i = 0, \lfloor n/k \rfloor, \ldots, (k-2)\lfloor n/k \rfloor$, then the combined weight of the corresponding $B_i$ is at least $(k-1)\lfloor \ell/k \rfloor + k - 1$ and so $B$ must have weight less than $\lfloor \ell/k \rfloor + r_2 - (k-1) \le \lfloor \ell/k \rfloor$. Thus in particular $B_{(k-1)\lfloor n/k \rfloor}$, the first $\lfloor n/k \rfloor$ indices of $B$, must have weight less than $\lfloor \ell/k \rfloor$.

If $v(i) < 0$ for $i = 0, \lfloor n/k \rfloor, \ldots, (k-2)\lfloor n/k \rfloor$, then the combined weight of the corresponding $B_i$ is at most $(k-1)\lfloor \ell/k \rfloor - (k-1)$ and so $B$ must have weight greater than $\lfloor \ell/k \rfloor + r_2 + k - 1$. Then $B_{(k-1)\lfloor n/k \rfloor}$, the first $\lfloor n/k \rfloor$ indices of $B$, must have weight greater than $\lfloor \ell/k \rfloor$. For if not, the weight of $B$ is at most $\lfloor \ell/k \rfloor + r_1 \le \lfloor \ell/k \rfloor + r_2 + k - 1$, a contradiction.

In either case there is an $i$ with $v(i) > 0$ and an $i'$ with $v(i') < 0$. Since $|v(i) - v(i+1)| \le 1$, there must be an $i$ with $v(i) = 0$. Label the corresponding set $I_1$.

We now remove the indices in $I_1$ from consideration, relabel the indices $0, \ldots, n - \lfloor n/k \rfloor$, and seek an $i$ such that $B_i^{(n - \lfloor n/k \rfloor)}$ has weight $\lfloor \ell/k \rfloor$. Using the same reasoning as above, one must exist.

In this fashion $I_1, \ldots, I_{k-1}$ can be found. The remaining indices make up $I_k$. The number of divisions needed to satisfy this process is

$n(n - \lfloor n/k \rfloor)(n - 2\lfloor n/k \rfloor) \cdots (n - (k-2)\lfloor n/k \rfloor) < n^{k-1}.$

□
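To make the proof concrete, here is a Python implementation, added as an example and not part of the paper, of the greedy construction it describes: the cyclic windows $B_i$, the function $v$, a zero of $v$ found by scanning $i$, removal and relabelling, and $I_k$ taking the remainder. It also collects the divisions produced for every weight-$\ell$ set $Y$ into a splitting system and checks it against the $n^{k-1}$ bound; the sample parameters $n = 10$, $\ell = 7$, $k = 3$ and all function names are the example's own.

```python
from itertools import combinations

# Example code (not from the paper): the construction in the proof of
# Proposition 9.2 for the non-divisible case n = k*floor(n/k) + r1,
# l = k*floor(l/k) + r2. Names and sample parameters are the example's own.


def find_zero_of_v(indices, Y, s, w):
    """Scan cyclic windows B_i = {indices[(i+j) mod n'] : 0 <= j < s} over
    the (relabelled) remaining indices and return one with
    v(i) = |B_i ∩ Y| - w = 0. The proof's sign argument together with
    |v(i) - v(i+1)| <= 1 guarantees that such a window exists."""
    nn = len(indices)
    for i in range(nn):
        B = [indices[(i + j) % nn] for j in range(s)]
        if len(set(B) & Y) == w:
            return B
    raise AssertionError("Proposition 9.2 guarantees a zero of v")


def splitting_division(n, l, k, Y):
    """Build a division (I_1, ..., I_k) of 0..n-1 that splits the weight-l
    set Y as in Definition 9.1: I_1..I_{k-1} each have floor(n/k) indices
    and floor(l/k) elements of Y; I_k takes whatever remains."""
    s, w = n // k, l // k
    remaining = list(range(n))
    division = []
    for _ in range(k - 1):
        B = find_zero_of_v(remaining, Y, s, w)
        division.append(sorted(B))
        chosen = set(B)
        remaining = [i for i in remaining if i not in chosen]   # relabel
    division.append(sorted(remaining))
    return division


def is_split(division, Y, n, l, k):
    """Check the size and weight conditions of Definition 9.1 for Y."""
    s, w = n // k, l // k
    r1, r2 = n - k * s, l - k * w
    blocks = [set(b) for b in division]
    if len(blocks) != k or sum(len(b) for b in blocks) != n:
        return False
    if set().union(*blocks) != set(range(n)):
        return False
    sizes_ok = all(len(b) == s for b in blocks[:-1]) and len(blocks[-1]) == s + r1
    weights_ok = (all(len(b & Y) == w for b in blocks[:-1])
                  and len(blocks[-1] & Y) == w + r2)
    return sizes_ok and weights_ok


def build_splitting_system(n, l, k):
    """Collect the division produced for every weight-l Y. By construction
    every Y is split by some member, so the result is an (n, l, k)-splitting
    system; its size is at most the count scanned by the proof."""
    return {tuple(tuple(b) for b in splitting_division(n, l, k, set(Y)))
            for Y in combinations(range(n), l)}


def verify_system(system, n, l, k):
    """Every weight-l Y must be split by some division of the system."""
    return all(any(is_split(d, set(Y), n, l, k) for d in system)
               for Y in combinations(range(n), l))


def proof_division_count(n, k):
    """n (n - s)(n - 2s) ... (n - (k-2)s) with s = floor(n/k): the number of
    candidate divisions scanned by the proof, which is below n^(k-1)."""
    s, total = n // k, 1
    for j in range(k - 1):
        total *= n - j * s
    return total


if __name__ == "__main__":
    n, l, k = 10, 7, 3            # sample parameters: r1 = 1, r2 = 1
    Y = {0, 1, 2, 3, 4, 5, 6}
    D = splitting_division(n, l, k, Y)
    print("division for Y:", D, "valid:", is_split(D, Y, n, l, k))
    system = build_splitting_system(n, l, k)
    print(len(system), "divisions suffice; proof bound",
          proof_division_count(n, k), "< n^(k-1) =", n ** (k - 1))
```

The scan in `find_zero_of_v` tries all $i$ rather than only the multiples of $\lfloor n/k \rfloor$ used in the proof's sign argument, which is fine because the proof only needs those multiples to show that a zero exists somewhere on the cycle; the number of distinct divisions the greedy procedure can output is still bounded by `proof_division_count`.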



Next we discuss the effect on running times. For the Schroeppel-Shamir algorithm, the main terms of the complexity bounds become $\binom{\lfloor n/4 \rfloor + 3}{\lfloor \ell/4 \rfloor + 3}$ time and $\binom{\lfloor n/4 \rfloor + 3}{\lfloor \ell/4 \rfloor + 3}$ space. Since

the complexity is worse by at most a polynomial factor. A similar result holds for the modular oracle. The polynomial factor becomes $(n/\ell)^k$, which is polynomial for constant $k$.